
Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy



Frank Küster wrote:
> The upstream patch applies cleanly to xpdf/Stream.{cc,h} in sarge, but
> JPXStream.cc does not exist.  But the functions might still be defined
> elsewhere.
> 
> In woody, the patch does not apply cleanly except for Stream.h, but at
> least one affected line in Stream.cc *does* exist.
> 
> As I said previously, I will not be able to work on this.

The original patch was not sufficient.  I'm attaching both the entire
patch and the incremental patch.  Please apply the incremental patch to
the version in sid as well.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.
diff -u tetex-bin-2.0.2/debian/changelog tetex-bin-2.0.2/debian/changelog
--- tetex-bin-2.0.2/debian/changelog
+++ tetex-bin-2.0.2/debian/changelog
@@ -1,3 +1,20 @@
+tetex-bin (2.0.2-30sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Adjusted the former patch
+  * Applied missing bits found by Ludwig Nussel
+
+ -- Martin Schulze <joey@infodrom.org>  Fri,  9 Dec 2005 11:25:16 +0100
+
+tetex-bin (2.0.2-30sarge1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Partially applied patch from xpdf upstream to fix buffer overflows
+    [libs/xpdf/xpdf/Stream.cc, libs/xpdf/xpdf/Stream.h, CAN-2005-3191,
+    debian/patches/patch-CVE-2005-3191]
+
+ -- Martin Schulze <joey@infodrom.org>  Thu,  8 Dec 2005 10:19:45 +0100
+
 tetex-bin (2.0.2-30) unstable; urgency=low
 
   * Restore debian/watch and don't keep the recovered control file in
diff -u tetex-bin-2.0.2/debian/rules tetex-bin-2.0.2/debian/rules
--- tetex-bin-2.0.2/debian/rules
+++ tetex-bin-2.0.2/debian/rules
@@ -57,6 +57,8 @@
 	patch -p1 -Ni debian/patches/patch-CAN-2005-0064
 	patch -p1 -NRi debian/patches/patch-mandash || true
 	patch -p1 -Ni debian/patches/patch-mandash
+	patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true
+	patch -p1 -Ni debian/patches/patch-CVE-2005-3191
 	cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./texk/
 	cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./utils/texinfo/
 	cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./config/
@@ -95,6 +97,7 @@
 	# Add here commands to clean up after the build process.
 	# Make sure all of our expected symlinks are in place
 	sh debian/restore-symlinks
+	patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true
 	patch -p1 -NRi debian/patches/patch-mandash || true
 	patch -p1 -NRi debian/patches/patch-CAN-2005-0064 || true
 	patch -p1 -NRi debian/patches/patch-CAN-2004-1125 || true
only in patch2:
unchanged:
--- tetex-bin-2.0.2.orig/debian/patches/patch-CVE-2005-3191
+++ tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191
@@ -0,0 +1,113 @@
+--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.h
++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.h
+@@ -225,6 +225,8 @@
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -242,6 +244,7 @@
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
+only in patch2:
+unchanged:
+--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc
++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc
+@@ -404,18 +404,33 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -981,6 +996,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2860,6 +2879,10 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2886,6 +2909,10 @@ GBool DCTStream::readProgressiveSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2908,6 +2935,10 @@ GBool DCTStream::readScanInfo() {
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3178,6 +3209,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
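Review bot: In readBaselineSOF the new check passes `prec` to a format string that has no conversion for it — `error(getPos(), "Bad number of components in DCT stream", prec);` — while the identical checks in readProgressiveSOF and readScanInfo pass only the message; the incremental hunk `@@ -75,14 +75,32 @@` drops the stray argument for readProgressiveSOF but leaves this one, so it should read `error(getPos(), "Bad number of components in DCT stream");`. The overflow guard in the StreamPredictor constructor (`(totalBits / nBits) / nComps != width` and `totalBits + 7 < 0`) detects wraparound only after the signed multiplication has already happened, which is undefined behaviour in C++ and a check an optimising compiler is entitled to drop; rejecting non-positive `width`/`nComps`/`nBits` first and then testing along the lines of `nComps > INT_MAX / nBits || width > (INT_MAX - 7) / nComps / nBits` before computing `totalBits` keeps the rejection well-defined. The early returns leave `predLine` NULL and LZWStream/FlateStream then `delete pred`, so correctness relies on ~StreamPredictor tolerating a NULL predLine — its body is outside the hunk, presumably a gfree() that accepts NULL, but worth confirming.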
diff -u tetex-bin-2.0.2/debian/changelog tetex-bin-2.0.2/debian/changelog
--- tetex-bin-2.0.2/debian/changelog
+++ tetex-bin-2.0.2/debian/changelog
@@ -1,3 +1,11 @@
+tetex-bin (2.0.2-30sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Adjusted the former patch
+  * Applied missing bits found by Ludwig Nussel
+
+ -- Martin Schulze <joey@infodrom.org>  Fri,  9 Dec 2005 11:25:16 +0100
+
 tetex-bin (2.0.2-30sarge1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
diff -u tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191 tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191
--- tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191
+++ tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191
@@ -21,7 +21,7 @@
 unchanged:
 --- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc
 +++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc
-@@ -404,18 +404,33 @@
+@@ -404,18 +404,33 @@ void ImageStream::skipLine() {
  
  StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
  				 int widthA, int nCompsA, int nBitsA) {
@@ -56,7 +56,7 @@
  }
  
  StreamPredictor::~StreamPredictor() {
-@@ -981,6 +996,10 @@
+@@ -981,6 +996,10 @@ LZWStream::LZWStream(Stream *strA, int p
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -67,7 +67,7 @@
    } else {
      pred = NULL;
    }
-@@ -2860,6 +2879,14 @@
+@@ -2860,6 +2879,10 @@ GBool DCTStream::readBaselineSOF() {
    height = read16();
    width = read16();
    numComps = str->getChar();
@@ -75,14 +75,32 @@
 +    error(getPos(), "Bad number of components in DCT stream", prec);
 +    return gFalse;
 +  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2886,6 +2909,10 @@ GBool DCTStream::readProgressiveSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components in DCT stream", prec);
++    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
-@@ -3178,6 +3205,10 @@
+@@ -2908,6 +2935,10 @@ GBool DCTStream::readScanInfo() {
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3178,6 +3209,10 @@ FlateStream::FlateStream(Stream *strA, i
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
